Sponsored Links

Sponsored Links

PS3 CPU Exploit Released by DarkHacker, METLDR Exploitation


Sponsored Links
180w ago - Today a PlayStation 3 hacker known as DarkHacker has released a PS3 CPU Exploit which he states will lead developers closer to METLDR exploitation.

From his site (linked above): This is a release of the hidden Cell Exploit found a while ago and one of the step taken to the metldr exploit i'm going to release the because i fell people should have the right to do as they wish and the information should be free to the public.

i know by releasing this exploit i'll probably be taken to court or sued but fck sony they can go to hell all i care for what there doing to us hackers i'll fight until the last min i got of my life if i have to for the right of the people.

for this exploit your going need a leaked service pdf which is below:


Time to explain this now listen up.

i know you all remember the exploit with ram and so on back in 3.15 well your going look for the 'CELL RESET LINE' and that going be where the exploit is you know how the small 60ms or ns i dont remember thing sent to ps3 for the read and write of the ram ?

well use line send that and connect it to the cell reset line. (FIND IT IN DOC) and ground on outside of case and the example of what can be done with this is a cold reset which still has acess to the memory from gameos - don't let this die out people i'm taking a big risk by giving you all this information.

- thanks to mitchy my personal hard drive - note i did not upload the documents and if requested i'll remove the links.

Example of what can be done with this -- untouched memory on cold boot full access to lv2 and all game os memory.

Below is some additional information from IRC, along with Mathieulh claiming ownership of the PS3 CPU Exploit released by DarkHacker:

Mathieulh: Matt_P yeah it has nothing to do with an exploit, all it allows is dumping 1.10 to 3.15 lv2
Mathieulh: using a coldboot and a small stub
Mathieulh: I gave this trick to darkhacker on msn months ago, looks like he leaked it for fame, I don't give a damn anyway, I am just pissed at lamers leaking stuff
Mathieulh: even useless stuffs like these
Mathieulh: and of course you can't dump metldr or any loader for that matter using this trick
Mathieulh: it's not even an exploit, the reset line is actually used every time your ps3 resets
Mathieulh: it's a feature
Mathieulh: you just abuse it of a sort along with otheros to dump lv2
Mathieulh: since we can decrypt lv2 you don't really need to dump it anymore...
Mathieulh: not to mention otheros is gone

From defyboy: [Register or Login to view links]

"All this does is resets the cell processor to its initial state after bootup. It exploits a weakness in the security where RAM is not cleared on bootup.

In order to successfully complete this hack we would need to write to an area of memory that would be executed on startup. There are two ways to do this, we could either do it with hardware, or software. Doing it by hardware is out of the question as the RAM is encrypted, and we are not able to access the keys required to access it. The other way would be via software, as was done with geohot’s memory glitching explot which ran through otherOS.

Basically we need to execute our own code to write to memory, If we are capable of doing this in the first place, what is the need for this hack? There is none."

Finally, from rms: [Register or Login to view links]

"Uhm, the thing is, you have to have access to that RAM, and you need OtherOS or another kernel that has access to that area of RAM. You also have to make sure nothing writes to that region, which will surely almost never happen. You also need enough luck to get the geohot dangling HTAB exploit working.

See, a hash page table, has the page table entries (PTEs) which provide Virtual Address to Physical Address (VA-to-PA or VA-to-RA), which is a mapping for virtual addresses such as 08000000000000001 to a physical address such as 040000000000. The dangling HTAB exploit is known to work in firmware 3.41 and 3.15. One needs to glitch the RAM bus when the page table write occurs, then create a new virtual page entry and hope it lies in that region you want.

Then, you can dump your data. This requires some good luck though, and some good button pressing skills! Also, this is very very very far from metldr. asecure_loader or metldr is decrypted inside the isolated SPU, or synergistic processing unit (/me shakes fist at Sony’s lawyers for calling it a “Stable Processing Unit”, which is not accessible by any other SPU or PowerPC unit. The only thing that has access to that SPU is the program inside the isolated SPU.

Also, I also don’t trust this guy because… he confused nanosecond RAM timing with millisecond RAM timing. There’s a huge difference! 1 millisecond is about 1 million nanoseconds.

Also, this is not the exploit Mathieulh tweeted about. This is far from it, it’s sort of like as far as the South Pole to the North Pole ."




Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!

Comments 35 Comments - Go to Forum Thread »

• Please Register at PS3News.com or Login to make comments on Site News articles. Thanks!

costocart's Avatar
#35 - costocart - 180w ago
To mathieulh... stop whinning! You have the knowledge but you're too afraid to share it... that's your problem. But please shut up when other people who is willing to take the risk to share this kind of info to the public.

pjmiller435's Avatar
#34 - pjmiller435 - 180w ago
amen! finally headed in the right direction.

moja's Avatar
#33 - moja - 180w ago
Damn, that's what I get. Thanks for clearing that up guys.

tonybologna's Avatar
#32 - tonybologna - 180w ago
yes but math found this months ago, he just happened to teach it to some kiddie Dark a few days ago who decided to post it and claim it as his own.. just another script kiddie looking for efame.

That's what I was referring to barry in saying it was basically the same thing as before.

DeViL304's Avatar
#31 - DeViL304 - 180w ago
Correct , only it was pretty much a year ago that math told "dark" about it. He probably knew about it for longer, geohot developed a bld that would dump the ram on booting otherOS.

Sponsored Links

Sponsored Links
Sponsored Links

Sponsored Links







Affiliates - Contact Us - PS3 Downloads - Privacy Statement - Site Rules - Top - © 2014 PlayStation 3 News